EU General Data Protection Regulation

After many years in the making, the new European Union (EU) framework ensuring the privacy rights of EU residents has been completed.Below is a brief outline of the salient points.

The reform consists of two instruments:

The General Data Protection Regulation (GDPR) will enable people to better control their personal data. At the same time, modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.

The Data Protection Directive (DPD) for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same, time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.

This most important reform was agreed in December 2015 and should be ratified in the EU Parliament in the course of January 2016, after which it will immediately become law. The GDPR being a Regulation rather than a Directive becomes immediately applicable without having to go through local parliaments; member states will have up to two years to implement the Regulation.

The purpose of the GDPR is to establish a single set of rules across Europe regarding personal data, therefore simplifying doing business in the EU.

The regulation applies to data controllers (those who control the data) or processors (those who process data) or to data subjects (persons) based in the EU. It also applies to organisations based outside of the EU if they process personal data of EU residents.

Personal data is defined in both the GDPR and the DPD as any information relating to a person who can be identified directly or indirectly in their personal, private or work roles, i.e. "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

The GDPR clearly distinguishes the responsibilities and duties of the controllers and of the processors. It states that controllers should only engage with those processors that will provide “sufficient guarantees to implement appropriate technical and organisational measures” to protect data subjects’ rights.

Organisations that do not comply with the new regulation will be subject to heavy fines that can go up to €10M or 2% of the organisation global gross revenue. The violations include such things as violations of record keeping, of security, of breach notification.

An independent Data Protection Officer must be appointed by public authorities processing personal data or by organisations which core activity of their controller or their processor involves regular and systematic monitoring of data subjects on a large scale.

The Data Protection Officer is under the legal obligation to report any personal data breach to the appropriate supervisory authority without undue delay.

The data processor must notify the controller of any personal data breach experience but has no other notification or reporting obligation.

Privacy settings are fixed at a high level. Data protection safeguards must be designed into products and services offered at the earliest stage of development; this is Privacy by design.

According to the GDPR, consent is to mean “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. Although consent in itself by the data subject does not need to be explicit, it should be made clear to him or her what their data is going to be used for at the point of collection of the data.

Persons must have access to information in how their data is processed; this information must be made available in a clear and understandable language.

A data subject has the right to request that his/her personal data be erased on a number of grounds, including if the data is no longer required for the reason for which it was collected. Controllers must take reasonable steps to notify processors and other downstream data recipients of such requests.

It is worth mentioning here the difference of the approach to privacy policy in the EU and in the US. In the EU, privacy policy is considered to be a human right, in the US it is seen as consumer protection.

The above is a brief overview of the most salient aspects of GDPR and detailed information should be obtained from the original document or your lawyer. The information above is provided for informational purpose only and should not under any circumstance be construed as legal advice and may not be relied upon as such.